What I Learned From A WordPress Security Nightmare

By Dan Crask | June 13, 2015 | Branding

It seems we can’t go a full week without reading a headline about a website security breach. Usually the story is about a big corporation because in headline news, the old adage “if it bleeds, it leads” is still applicable in the digital age.

Yet there are countless website security breaches that happen every day on the websites of small businesses, solopreneurs, non-profits, and bloggers that go unreported. These security breaches cause anxiety and stress unlike anything else in business when the website owner(s) and caretaker(s) don’t have a plan in place for a security nightmare.

I know this because such a security nightmare happened to me, and I would like to share what I learned from the experience.

Preface: I am going to change the names of the hosting companies involved because (A) it’s not important who they are because (B) the point of this post is to share from my lack of planning. Oh, and (C) I don’t want to get sued. That too.

Act 1

In 2012 my branding shop was in its 5th year of business. We had launched a new website for ourselves built on WordPress, and it was our best one yet. We constantly had compliments on what our website looked like, how we positioned content, and how easy it was to get around.

Around March I received a heads-up email from a peer alerting me to the fact that when he visited our website his browser was now showing him the Red Screen Of Death, and displaying a message that our website “may be harmful to your computer.”

What the heck was going on? I did some digging, and found that some sort of robot or person had managed to get myriad pages of foreign porn onto our website. Google did not like a few lines of code in their work, and the result was a quick contamination of our website.

We had a recent backup, so we simply took down the old, and relied on our backup, changed passwords, scanned it again to find all was well, and let Google know we had addressed what they found. All was well.

Act 2

In mid-May I wanted to see how things were going for Brand Shepherd’s search rankings, and to my horror I saw that Google had added a little line of text under our search listing. It was similar wording to what I mentioned above: “This website may be harmful to your computer.” Only this was showing up in a search results page!

We learned that the same foreign porn had repopulated on hidden pages hosted by “us,” and Google cranked up the warning protocol for would-be visitors to our website.

So, again, we removed the infected content, installed a backup, changed passwords, and thought surely this couldn’t happen again…right?

Act 3

By this time it’s early June, and our SEO has taken a pretty big hit. I am losing my mind because I am doing everything I know to do, yet we’re still getting attacked.

All was going well until mid-July when I was going to add a new User in our WordPress website, and that’s when I saw that the attackers had hidden in plain sight: They had somehow hacked their way into our site, and actually set up a couple of Users for themselves!

I was mortified and embarrassed. How could I not have checked Users as part of the security measures?! Why wasn’t I notified that a new User had registered?

I also then learned that part of our resources were being exploited. We were using a thumbnail generator that was part of a system, and this generator apparently had well-known issues. To give an analogy, it would be like learning that the belts in your car’s engine were made by a third party that was known for faulty belts. It was part of a system that I just simply took for granted because it wasn’t in front of me.

Then the other shoe dropped: I was contacted by our hosting provider alerting me to the fact that the shared server we were on had some kind of vulnerability that was causing the repeated attacks/hacks of the websites that resided on it.

It was like a perfect storm of website security madness. And it wasn’t even over.

Act 4

For the next couple of months (and I am embarrassed that it took that long before I left), it was a game of Whack-A-Mole with website hacks, fixes, rinse, repeat.

It got to the point where we couldn’t post new content because we weren’t 100% sure that the backup we would then have to make that included the new content wouldn’t be infected too. It was a mess.

Throughout this part of the ordeal, the most our hosting company offered us were letters of apology and updates. Keep in mind that this hosting company is renowned for hosting WordPress websites, has a great reputation, but when it comes to crisis management and being reasonable with its customers, they come up short.

I asked for our billing to be prorated to account for all the downtime their servers were causing our website, but that fell on deaf ears. They continued to invoice us in full, as though services had not been interrupted.

By late summer I had enough, and decided to jump ship to a new hosting provider.

Crocodile Tears

Our new host was actually quite great. They had fantastic customer support, the price was right, and soon after we moved there the attacks stopped. It was smooth sailing for a long time. I even recommended this hosting provider to our clients.

But then a while after we moved there, a massive outage in service impacted millions of websites, ours included. The outage was only for 1 day, but it triggered a newly formed no-BS reaction within me. Again I asked that our hosting fees be prorated for the loss of service, but I could almost hear the laughter over the live chat as they declined to do so.

I started asking developers who they trusted for hosting. I wanted names of small hosting companies. No more big providers. I wanted small and security-minded web hosting.

I was given the name of such a hosting provider, and until two months ago we hosted with them.

This past winter I started to get notified through WordPress security plugin Wordfence of attempted logins and how such attempted usernames were being blocked. It started simple enough: Attempts with the usual suspects like “admin” and our business name. Any robot can do that. But then they started to attempt to log in with my first and last name. Then they attempted it with the first names of some of our team members. I began to get the impression that this might be a real person, not just a robot.

The nonsense of 2012 came rushing back to me, and I decided to look for an even more secure web host, and I found one.

Secure For Now

Our new host has all sorts of processes in place for security, but the thing that finally sold me on them was the transparency of reality. Their owner told me, “If a hacker really wants to get in, they’re going to get in.”

And that is the unfortunate truth.

Yet we can still take care of a lot of the basics of security, and so long as the hosting provider keeps their promise to keep their end secure, most websites will remain secure.

What I Lost

  • The fiasco of 2012 cost us 100% of our search equity. We had to completely rebuild our search presence, redoing years of work. Google put a big penalty on us for something that wasn’t even our fault.
  • The money that the hosting providers continued to charge us for leaky, hack-prone servers.
  • My time. This was the biggest loss of all. I couldn’t begin to count the hours I put into trying to solve the problems, working with our developer, talking with the host provider, etc. This thing was a massive time-suck.
  • Respect for the hosting industry, especially the shared hosting product. The sales funnel to get you in is filled with glitter and unicorns, but the second you have issues and want to leave, you can’t leave fast enough. The only reputable hosting providers out there are small and unheard of on a mass scale.

What I Learned

  • Back up your website, do so frequently (weekly if you post new content often), and keep the backup offline.
  • Use some freemium services out there like Wordfence Security plugin for WordPress. I get alerts for every successful login now. Imagine if I had that back in 2012? I might have avoided a lot of hassle.
  • Avoid big hosting providers. The telling thing for me was when we left each hosting provider. They couldn’t have cared less, and we couldn’t be gone fast enough. It was startling how different the enter/exit experiences are with these massive hosting providers.
  • Have great developers in your corner. I cannot speak highly enough of the devs I’ve had in my corner through every step of the aforementioned nightmare, as well as where we are today. As owner of Brand Shepherd, I need to know enough about our hosting to know what’s up with our corner of the internet, and to make a recommendation to a client. Beyond that, I turn to the experts we hire, even when it’s an in-house issue. Having trusted experts to turn to is crucial when a security nightmare takes place.
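
The check that was missed in 2012, reviewing the Users list for accounts nobody on the team created, can be scripted. The following is an added example, not part of the original post: it audits the CSV that WP-CLI's `wp user list` produces against an allowlist and a last-review date. The sample rows, the allowlist and the function name `audit_users` are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the output of:
#   wp user list --format=csv \
#     --fields=ID,user_login,user_email,user_registered,roles
SAMPLE_CSV = """ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2012-01-10 09:00:00,administrator
2,editor1,editor1@example.com,2012-02-01 14:30:00,editor
7,wpsupport,x91@example.net,2012-06-28 03:12:44,administrator
8,sys_cache,x92@example.net,2012-06-28 03:13:02,administrator
"""

# Hypothetical allowlist: logins the team actually created.
KNOWN_LOGINS = {"owner", "editor1"}
# Roles that can change content site-wide or install code.
PRIVILEGED = {"administrator", "editor"}


def audit_users(csv_text, known_logins, last_review):
    """Return a finding for every account that needs a human look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        registered = datetime.strptime(row["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in known_logins:
            reasons.append("not on allowlist")
        if registered > last_review:
            reasons.append("registered since last review")
        if reasons:
            findings.append({
                "login": row["user_login"],
                "privileged": bool(roles & PRIVILEGED),
                "reasons": reasons,
            })
    # Privileged accounts first: those are the urgent ones.
    findings.sort(key=lambda f: not f["privileged"])
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_CSV, KNOWN_LOGINS, datetime(2012, 6, 1)):
        level = "HIGH" if f["privileged"] else "low"
        print(f"[{level}] {f['login']}: {', '.join(f['reasons'])}")
```

Run against real `wp user list` output on a schedule, a non-empty result is the notification that a new User has appeared.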

I truly hope you never have anything like what I experienced, but if my sharing of these experiences helps you prepare to avoid a security nightmare, then I am glad my having gone through it will help you.

Dan Crask
